US7756140B2 - Relay device, path control method, and path control program - Google Patents
- Publication number
- US7756140B2
- Authority
- US
- United States
- Prior art keywords
- mac address
- frame
- address
- terminal
- reply
- Prior art date
- Legal status
- Expired - Fee Related
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2596—Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
Definitions
- the present invention relates to a relay device that performs LAN path control, a path control method, and a path control program.
- the present invention relates more particularly to a relay device or the like that implements security improvements including the collection of logs.
- Such security switches continually monitor the traffic passing through them and, upon sensing an anomalous traffic pattern such as a DoS (Denial of Service) attack or worm infection activity, discard the frames of that traffic in order to prevent the damage from spreading.
- DoS: Denial of Service
- An ordinary floor LAN mostly connects a plurality of terminals by means of low-function switching hubs, repeater hubs, or the like.
- A security switch is normally installed at the boundary point between the floor LAN and the backbone LAN, so that the network device configuration is not affected when the security switch is connected.
- FIG. 24A shows a conventional constitutional example of a case where a security switch is provided in a floor LAN.
- a security switch 200 is provided between a backbone LAN and a floor LAN, and layer-2 switches (L2SW) 210 and 220 are disposed in subordination to the security switch 200 .
- L2SW: layer-2 switch
- a client terminal A 230 and client terminal B 240 are each connected to the respective layer-2 switches 210 and 220 .
- the terminals A 230 and B 240 are arranged within the same floor LAN.
- ARP: Address Resolution Protocol
- In conventional ARP communication (see FIG. 24A), (1) terminal A 230 transmits, by broadcast, an ARP request frame that includes the IP address of terminal B 240, and (2) terminal B 240 answers the ARP request by transmitting to terminal A an ARP reply frame that includes its own MAC (Media Access Control) address.
- As a result, terminal A 230 acquires the MAC address of terminal B 240 and can thereafter transmit communication frames to that MAC address (see FIG. 24B). The layer-2 switches 210 and 220 look up the learning tables they hold, using the destination MAC address as the search key, and forward the frames to the destination physical port (the port to which terminal B 240 is connected). Terminal B 240 receives the frames because they carry its own MAC address.
- Separately, a switching hub has been proposed that holds a table storing a dummy MAC address corresponding to a residential port; if the destination MAC address of a frame received from a residential port is a dummy MAC address, the switching hub replaces the destination MAC address of the frame with the MAC address of the node connected to the other residential port that corresponds to the dummy MAC address, and relays the frame (see Japanese Patent Application No. 2003-318934, for example).
- The above problem (frames exchanged between terminals in the same floor LAN are forwarded by the layer-2 switches 210 and 220 without passing through the security switch 200) could also be avoided by providing the layer-2 switches 210 and 220 in FIG. 24A with a security function.
- However, providing the layer-2 switches 210 and 220 with such a security function increases cost and production requirements all the more. An increase in security without changing the existing network configuration, as far as possible, is therefore desirable.
- the present invention was conceived in view of the above problems and an object of the present invention is to provide a relay device that implements security improvements including the collection of logs for the terminals in the floor LAN without changing the existing network configuration, and to provide a path control method and path control program.
- an embodiment of the present invention is a relay device in which a single or a plurality of layer-2 switches are connected in subordination to the same physical port and a single or a plurality of terminals are connected in subordination to the layer-2 switches, having: an address correspondence holding unit which holds, for each of the terminals, an IP address and real MAC address of the terminal and a virtual MAC address being a MAC address that is virtual; a proxy reply unit which reads the virtual MAC address of the corresponding terminal from the address correspondence holding unit upon receiving a first ARP request frame that seeks the acquisition of the virtual MAC address from the terminal, and sends back the virtual MAC address to the terminal; and a MAC address conversion unit that receives a first frame addressed to the virtual MAC address when the first frame is sent and received between the terminals, performs conversion of the virtual MAC address and real MAC address for the MAC address of the first frame and sends back a converted second frame.
- a further embodiment of the present invention is a network system in which a single or a plurality of layer-2 switches are connected in subordination to the same physical port of the relay device and a single or a plurality of terminals are connected in subordination to the layer-2 switches, wherein the relay device has: an address correspondence holding unit which holds, for each of the terminals, an IP address and real MAC address of the terminal and a virtual MAC address being a MAC address that is virtual; a proxy reply unit which, when a first ARP request frame that seeks the acquisition of the virtual MAC address from the terminal is received, reads the virtual MAC address of the corresponding terminal from the address correspondence holding unit and sends back the virtual MAC address to the terminal; and a MAC address conversion unit which receives a first frame addressed to the virtual MAC address when the first frame is sent and received between the terminals, performs conversion of the virtual MAC address and real MAC address for the MAC address of the first frame, and sends back a converted second
- a further embodiment of the present invention is a path control method for a relay device in which a single or a plurality of layer-2 switches are connected in subordination to the same physical port and in which a single or a plurality of terminals are connected in subordination to the layer-2 switches, having the steps of: receiving a first ARP reply frame from the terminal; reading a virtual MAC address of the corresponding terminal on the basis of the received first ARP reply frame from an address correspondence holding unit that holds, for each of the terminals, an IP address and real MAC address of the terminal and a virtual MAC address being a MAC address that is virtual, and sending back the virtual MAC address to the terminal; and receiving a first frame addressed to the virtual MAC address when the first frame is sent and received between the terminals, performing conversion of the virtual MAC address and real MAC address with respect to the MAC address of the first frame, and sending back a converted second frame.
- a further embodiment of the present invention is a path control program for a relay device in which a single or a plurality of layer-2 switches are connected in subordination to the same physical port and a single or a plurality of terminals are connected in subordination to the layer-2 switches, the path control program causing a computer to execute: processing to receive a first ARP reply frame from the terminal; processing to read a virtual MAC address of the corresponding terminal from an address correspondence holding unit that holds, for each of the terminals, an IP address and real MAC address of the terminal and the virtual MAC address being a MAC address that is virtual, and sending back the virtual MAC address to the terminal; and processing to receive a first frame addressed to the virtual MAC address when the first frame is sent and received between the terminals, perform conversion of the virtual MAC address and real MAC address with respect to the MAC address of the first frame, and send back a converted second frame.
- According to the present invention, it is possible to provide a relay device that implements security improvements, including the collection of logs for the terminals in the floor LAN, without changing the existing network configuration, and to provide a path control method and path control program.
- FIG. 1 shows a constitutional example of a network
- FIG. 2 shows a constitutional example of a security switch and so forth
- FIG. 3 shows a constitutional example of a MAC frame
- FIG. 4 is an example of a flowchart that is executed by a security switch
- FIG. 5 is an example of a flowchart that is executed by the respective terminals
- FIG. 6A shows a constitutional example of an address correspondence holding section
- FIG. 6B shows an example of a learning table of a layer-2 switch C (L2SW_C)
- FIG. 6C shows an example of a learning table of a layer-2 switch D (L2SW_D);
- FIG. 7A shows an example of an ARP table of terminal A and FIG. 7B shows an example of an ARP table of terminal B;
- FIG. 8 shows another constitutional example of the security switch and so forth
- FIG. 9 is an example of another flowchart that is executed by a security switch
- FIG. 10 shows another constitutional example of a network
- FIG. 11 shows another constitutional example of the security switch and so forth
- FIG. 12 is an example of another flowchart that is executed by the security switch.
- FIG. 13 shows another constitutional example of the security switch and so forth
- FIG. 14 shows an example of another flowchart that is executed by the security switch
- FIG. 15 shows an example of another flowchart that is executed by the security switch
- FIG. 16 shows another constitutional example of the address correspondence holding section
- FIG. 17 shows another constitutional example of the security switch and so forth
- FIG. 18 is an example of another flowchart that is executed by the security switch.
- FIG. 19 shows another constitutional example of terminal B
- FIG. 20 shows another constitutional example of the network
- FIG. 21 shows an example of a log
- FIG. 22 is an example of another flowchart that is executed by the security switch.
- FIG. 23 is an example of another flowchart that is executed by the security switch.
- FIG. 24A shows an example of conventional ARP communication and FIG. 24B shows an example of communication in a conventional floor LAN.
- FIG. 1 shows a constitutional example of a network according to the first embodiment.
- a security switch 10 is disposed between the floor LAN 100 and backbone LAN and a layer-2 switch C (L2SW-C) 30 is provided in subordination to the security switch 10 . Further, a layer-2 switch D (L2SW_D) 40 is connected to the layer-2 switch C 30 . Client terminals A 50 and B 60 are connected to the layer-2 switches C 30 and D 40 respectively.
- L2SW-C layer-2 switch C
- L2SW_D layer-2 switch D
- the IP address and MAC address of the respective devices are allocated as shown in FIG. 1 .
- FIG. 2 shows a constitutional example of a security switch 10 and a client terminal B 60 .
- the security switch 10 comprises a frame transceiver section 11 , a security check section 12 , a MAC address conversion section 13 , an address correspondence holding section 14 , an address collection section 15 , a virtual MAC address generation section 16 , and an ARP proxy reply section 17 .
- the frame transceiver section 11 receives a variety of frames from the layer-2 switch C 30 .
- If the received frame is an ARP reply frame, the frame transceiver section 11 outputs the frame to the address collection section 15.
- If the received frame is an ARP request frame, the frame is output to the ARP proxy reply section 17.
- Other frames are output to the security check section 12 and, where necessary, forwarded to the backbone LAN 110.
- FIG. 3 shows a constitutional example of such a MAC frame.
- the MAC frame has a field 301 that indicates whether ‘ARP’ protocol packet data are contained in the payload field. By confirming this field, the frame can be judged to be an ARP frame or another frame.
- the ARP packet data stored in the payload field has an operation code field 302 that indicates a ‘reply’ or ‘request’ and, by checking this field, the frame can be judged to be an ARP reply frame or an ARP request frame.
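As an added, constructed example (not code from the patent), the following Python builds Ethernet/ARP frames in the layout the frame transceiver section 11 relies on and classifies a received frame the way FIG. 3 describes: the Ethernet type value 0x0806 plays the role of field 301 (ARP present in the payload) and the ARP operation code (1 = request, 2 = reply) the role of field 302. The function names, the dictionary keys returned and the length checks are this example's own choices; the addresses are the ones the description assigns in FIG. 1.

```python
import struct

ETHERTYPE_ARP = 0x0806           # Ethernet type value marking ARP data in the payload (field 301)
ARP_REQUEST, ARP_REPLY = 1, 2    # ARP operation codes (field 302)
ARP_LEN = 14 + 28                # Ethernet II header + IPv4-over-Ethernet ARP packet

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_frame(opcode: int, src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Ethernet header followed by an RFC 826 ARP packet for IPv4 over Ethernet."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the operation code
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)
    # In a request the target hardware address is still unknown, so it is sent as zeros.
    target_mac = b"\x00" * 6 if opcode == ARP_REQUEST else mac_bytes(dst_mac)
    arp += target_mac + ip_bytes(dst_ip)
    return eth + arp

def classify_frame(frame: bytes) -> dict:
    """What the frame transceiver section 11 needs: is it ARP, and if so, request or reply?"""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]), "kind": "other"}
    if ethertype != ETHERTYPE_ARP:
        return info                           # not ARP: goes to the security check section 12
    if len(frame) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    info.update(
        kind={ARP_REQUEST: "arp_request", ARP_REPLY: "arp_reply"}.get(opcode, "arp_other"),
        sender_mac=mac_str(frame[22:28]), sender_ip=ip_str(frame[28:32]),
        target_mac=mac_str(frame[32:38]), target_ip=ip_str(frame[38:42]),
    )
    return info

if __name__ == "__main__":
    # Constructed sample: the Phase 1 collection request the security switch 10 sends to terminal A 50.
    req = build_arp_frame(ARP_REQUEST, "00:11:11:11:11:01", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.2")
    print(classify_frame(req))
```

Padding of short frames to the 60-byte Ethernet minimum is omitted; a frame read from a raw socket may therefore be longer than ARP_LEN, which the length check allows for.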
- the frame transceiver section 11 outputs a transmission frame from the MAC address conversion section 13 , an ARP request frame from the address collection section 15 , and an ARP reply frame from the ARP proxy reply section 17 to the layer-2 switch C 30 .
- The security check section 12 performs a security check on all received frames other than ARP frames.
- The security check includes, for example, checking whether the source MAC address of the frame contains a value that is not ordinarily used, such as ‘FF . . . ’, and counting the number of frames received per hour and checking whether the count exceeds a threshold value (that is, whether a so-called DoS attack is being performed).
- the security check section 12 performs processing such as discard processing, for example, on received frames that are not normal. Normal received frames are output to the downstream MAC address conversion section 13 .
- the MAC address conversion section 13 extracts the source MAC address and the destination MAC address from the received frame, searches the address correspondence holding section 14 , and converts a virtual MAC address in the received frame to a real MAC address and a real MAC address to a virtual MAC address.
- the MAC address conversion section 13 outputs the converted frame to the frame transceiver section 11 as a transmission frame. The details including the virtual MAC address will be described subsequently.
- the address correspondence holding section 14 holds a table in which an IP address, real MAC address, and virtual MAC address are one entry.
- The address collection section 15 generates, at fixed intervals (triggered by a timer interrupt or the like, for example), an ARP request frame for each address in the subnet to which the floor LAN 100 belongs (10.0.0.0/24, that is, all devices in the floor LAN 100) and outputs it to the frame transceiver section 11. Further, the address collection section 15 extracts the IP address and real MAC address from each ARP reply frame passed to it by the frame transceiver section 11 and outputs them to the virtual MAC address generation section 16.
- the ARP reply frame from the frame transceiver section 11 is a reply frame for the ARP request frame and is transmitted from the respective terminals A 50 and B 60 .
- the virtual MAC address generation section 16 searches the address correspondence holding section 14 by taking the IP address and real MAC address from the address collection section 15 as the search key.
- When this set of two addresses has not been registered in the address correspondence holding section 14, the virtual MAC address generation section 16 generates a virtual MAC address for the collected addresses and stores the set of three addresses, including this virtual MAC address, in the address correspondence holding section 14 as one entry.
- the ARP proxy reply section 17 searches the address correspondence holding section 14 by using the destination IP address as a key upon receiving an ARP request frame from the frame transceiver section 11 .
- When a matching entry is found, the virtual MAC address in the entry is read, and an ARP reply frame whose source MAC address is that virtual MAC address is generated and output to the frame transceiver section 11.
- the ARP request frame from the frame transceiver section 11 is a frame that is transmitted in order to obtain a virtual MAC address from the respective terminal A 50 and B 60 and, by storing a virtual MAC address in the reply frame (ARP reply frame), each of the terminals A 50 and B 60 is able to acquire a virtual MAC address.
- the client terminal B 60 comprises a terminal-side frame transceiver section 61 and an ARP reply control section 62 .
- The terminal-side frame transceiver section 61 receives frames from the floor LAN 100 and, upon receipt of an ARP request addressed to itself, outputs the frame to the ARP reply control section 62. It also receives ARP reply frames from the ARP reply control section 62 and transmits them to the floor LAN 100.
- Upon receipt of an ARP request frame, the ARP reply control section 62 generates an ARP reply frame only when the source IP address is the IP address of the security switch 10 (‘10.0.0.1’), and outputs the ARP reply frame to the terminal-side frame transceiver section 61. When the ARP request frame was not sent by the security switch 10, the ARP reply control section 62 discards the frame.
- the MAC address of the security switch 10 (‘00:11:11:11:11:01’) may also be checked instead of the IP address.
- The client terminal B 60 also has an ARP table. Each time the ARP reply control section 62 receives an ARP reply frame for the IP address of terminal A 50, an entry pairing the MAC address of terminal A 50 (virtual MAC address or real MAC address) with the IP address of terminal A 50 is added to the ARP table.
- Terminal B 60 is able to send and receive frames by using the virtual MAC address of terminal A 50 on the basis of the ARP table.
- client terminal A 50 also similarly comprises a terminal-side frame transceiver section and an ARP reply control section.
- The layer-2 switch C 30 and the layer-2 switch D 40 each have a learning table whose entries pair a MAC address (virtual MAC address or real MAC address) with an output port.
- Entries are added to the learning table from the source MAC address and the receiving port of each input frame.
- FIG. 4 is an example of a flowchart of a security switch 10
- FIG. 5 is an example of a flowchart of terminals A 50 and B 60 .
- The overall operation is divided into three phases, namely, (1) the collection of addresses by the security switch 10 (the generation of virtual MAC addresses), (2) the address resolution of terminal A 50 with respect to terminal B 60 (acquisition of the generated virtual MAC addresses), and (3) the transmission of frames by terminal A 50 to terminal B 60 (the transmission of frames on the basis of an acquired virtual MAC address).
- Upon a timer interrupt (S 30), the address collection section 15 of the security switch 10 determines the IP address of the collection destination (S 31).
- the IP address of terminal A 50 is the target.
- the address collection section 15 generates an ARP request frame for terminal A 50 (S 32 ).
- The ARP request frame has the source MAC address ‘00:11:11:11:11:01’ (MAC address of security switch 10), the source IP address ‘10.0.0.1’ (IP address of security switch 10), the destination MAC address ‘FF:FF:FF:FF:FF:FF’ (broadcast transmission), and the destination IP address ‘10.0.0.2’ (IP address of terminal A 50).
- the address collection section 15 outputs the ARP request frame thus generated to the frame transceiver section 11 .
- the frame transceiver section 11 transmits the ARP request frame to the floor LAN 100 .
- Upon receiving the frame, the layer-2 switch C 30 registers the source MAC address (MAC address ‘00:11:11:11:11:01’ of the security switch 10) and the connection port (‘Port 2’ as shown in FIG. 1) in its learning table. In addition, because the destination MAC address of the frame is a broadcast address, the layer-2 switch C 30 transmits the frame to all the other ports (‘Port 1’ and ‘Port 3’ of the layer-2 switch C 30).
- Upon receipt of the ARP request frame, the layer-2 switch D 40 registers the source MAC address (MAC address ‘00:11:11:11:11:01’ of the security switch 10) and the connection port (‘Port 1’ of the layer-2 switch D 40) in its learning table. Furthermore, because the destination MAC address of the frame is a broadcast address, the layer-2 switch D 40 transmits the frame to all the other ports (‘Port2’ of the layer-2 switch D 40).
- The terminal-side frame transceiver section 61 of terminal B 60 receives the ARP frame (S 40 of FIG. 5). Because the destination IP address is the IP address of terminal A 50, this is not an ARP request frame addressed to its own IP address (‘N’ in S 41), and terminal B 60 discards the frame (S 47).
- When terminal A 50 receives the ARP frame (S 40), because this is an ARP request frame addressed to its own IP address (‘Y’ in S 41 and ‘Y’ in S 42), the terminal-side frame transceiver section transfers the frame to the ARP reply control section.
- Because the transmission source of the frame is the security switch 10 (‘Y’ in S 44), the ARP reply control section generates an ARP reply frame (S 45). The terminal-side frame transceiver section then transmits the frame to the floor LAN 100 (S 46).
- The ARP reply frame has the source MAC address ‘00:11:11:11:11:02’ (MAC address of terminal A 50), the source IP address ‘10.0.0.2’ (IP address of terminal A 50), the destination MAC address ‘00:11:11:11:11:01’ (MAC address of security switch 10), and the destination IP address ‘10.0.0.1’ (IP address of security switch 10).
- the layer-2 switch C 30 that has received the ARP reply frame registers the MAC address (MAC address ‘00:11:11:11:11:02’ of terminal A 50 which is the transmission source) and the connection port (‘Port 1’) from the frame in the learning table.
- the layer-2 switch C 30 transmits the frame to the connecting port (‘Port2’) of the destination MAC address (MAC address of security switch 10 ).
- Upon receipt of the frame (S 10), the frame transceiver section 11 of the security switch 10 judges whether the frame is an ARP reply frame addressed to itself (S 11). In this case it is (‘Y’ in S 11), so the frame transceiver section 11 outputs the frame to the address collection section 15.
- the address collection section 15 outputs the source IP address of the ARP reply frame (IP address ‘10.0.0.2’ of terminal A 50 ) and the source MAC address (MAC address ‘00:11:11:11:11:02’ of terminal A 50 ) to the virtual MAC address generation section 16 .
- the virtual MAC address generation section 16 searches the address correspondence holding section 14 by using the source IP address and source MAC address (or either one) as the search key (S 12 ) and judges whether registration is complete (S 13 ).
- If the set of addresses has not yet been registered (‘N’ in S 13), the virtual MAC address generation section 16 generates a virtual MAC address (S 14).
- The virtual MAC address is generated on the basis of the real MAC address (in this case, the MAC address ‘00:11:11:11:11:02’ of terminal A 50, which is the transmission source).
- For example, the G/L (Global/Local) bit (the second lowest-order bit of the first octet of the MAC address) of the source MAC address in the MAC header of the ARP reply frame (MAC frame) is set to ‘1’.
- The first octet ‘00’ of the MAC address is a hexadecimal value; converted to binary it is ‘0000 0000’, and setting the second lowest-order bit to ‘1’ gives ‘0000 0010’.
- The first octet therefore changes from ‘00’ to ‘02’, and the virtual MAC address is ‘02:11:11:11:11:02’.
- Alternatively, the virtual MAC address may be generated using values that are not ordinarily used, so that the security switch 10 can judge from the bits of the address itself that it is a virtual MAC address.
- The virtual MAC address generation section 16 registers the generated virtual MAC address (virtual MAC address ‘02:11:11:11:11:02’ of terminal A 50), the IP address (IP address ‘10.0.0.2’ of terminal A 50), and the real MAC address (MAC address ‘00:11:11:11:11:02’ of terminal A 50) in the address correspondence holding section 14 as one entry (S 15).
- In the same way, the security switch 10 registers the virtual MAC address (‘02:11:11:11:11:03’) of terminal B 60, its IP address (‘10.0.0.3’), and its real MAC address (‘00:11:11:11:11:03’) in the address correspondence holding section 14.
- An example of the table registered in the address correspondence holding section 14 is shown in FIG. 6A.
- Next, the phase in which terminal A 50 performs address resolution for terminal B 60 (acquisition of the generated virtual MAC address) will be described.
- terminal A 50 transmits an ARP request frame to the security switch 10 .
- the source MAC address of the ARP request frame is ‘00:11:11:11:11:02’ (MAC address of terminal A 50 )
- the source IP address is ‘10.0.0.2’ (IP address of terminal A 50 )
- the destination MAC address is ‘FF:FF:FF:FF:FF:FF’ (broadcast address)
- the destination IP address is ‘10.0.0.3’ (IP address of terminal B 60 ).
- When the layer-2 switch C 30 receives the ARP request frame, because the destination MAC address is a broadcast address, the layer-2 switch C 30 transmits the frame to all the other ports.
- When the layer-2 switch D 40 receives the ARP request frame, it registers the source MAC address (MAC address ‘00:11:11:11:11:02’ of terminal A 50) and the connection port (‘Port 1’) in its learning table. Further, the layer-2 switch D 40 transmits the frame to all the other ports because the destination MAC address is a broadcast address.
- Upon receipt of the ARP request frame (S 40), the terminal-side frame transceiver section 61 of terminal B 60 outputs the frame to the ARP reply control section 62 (‘Y’ in S 41, ‘Y’ in S 42).
- The terminal-side frame transceiver section 61 judges whether the received frame is an ARP request frame (S 42) from the respective fields 301 and 302 of the frame (see FIG. 3), in the same way as the frame transceiver section 11 of the security switch 10.
- Because the transmission source of this ARP request frame is terminal A 50 and not the security switch 10 (‘N’ in S 44), the ARP reply control section 62 discards the frame (S 47) and does not create a reply frame.
- the respective terminals A 50 and B 60 have a function that creates a reply frame (ARP reply frame) only when an ARP request frame of which the transmission source is the security switch 10 is received and which, when a frame other than this frame is received, discards the received frame.
- Meanwhile, the frame transceiver section 11 of the security switch 10, which also receives the broadcast ARP request frame, transfers the frame to the ARP proxy reply section 17 (S 21).
- The ARP proxy reply section 17 searches the address correspondence holding section 14 using the destination IP address of the ARP request frame (IP address ‘10.0.0.3’ of terminal B 60) as the search key (S 22).
- In this case, the entry concerned was registered in Phase 1 (‘Y’ in S 23). If the entry had not been registered (‘N’ in S 23), the received ARP request frame would be discarded (S 16).
- the ARP proxy reply section 17 acquires a corresponding virtual MAC address (virtual MAC address ‘02:11:11:11:11:03’ of terminal B 60 ) from the address correspondence holding section 14 and then creates an ARP reply frame for the ARP request frame (S 24 ).
- the source MAC address of the ARP reply frame is ‘02:11:11:11:11:03’ (virtual MAC address of terminal B 60 ), the source IP address is ‘10.0.0.3’ (IP address of terminal B 60 ), the destination MAC address is ‘00:11:11:11:11:02’ (MAC address of terminal A 50 ), and the destination IP address is ‘10.0.0.2’ (IP address of terminal A 50 ).
- the transmission destination physical port is determined (S 17 ) and the ARP reply frame thus generated is transmitted from this port to the floor LAN 100 (S 18 ).
- Upon receiving the ARP reply frame, the layer-2 switch C 30 registers the source MAC address (virtual MAC address ‘02:11:11:11:11:03’ of terminal B 60) and the connection port (‘Port2’) in its learning table. Further, the layer-2 switch C 30 references the learning table and transmits the frame to the port (‘Port 1’) to which the destination MAC address (the MAC address ‘00:11:11:11:11:02’ of terminal A 50) is connected.
- Terminal A 50 receives the ARP reply frame and acquires the virtual MAC address (‘02:11:11:11:11:03’) of terminal B 60 (S 40, ‘Y’ in S 41, ‘N’ in S 42, and S 43).
- terminal B 60 is also able to transmit the ARP request frame to the security switch 10 and acquire the virtual MAC address of terminal A 50 from the ARP reply frame which is the reply frame.
- terminal A 50 transmits the frame to terminal B 60 on the basis of the acquired virtual MAC address.
- Terminal A 50 transmits the frame to terminal B 60 .
- the source MAC address of the frame is ‘00:11:11:11:11:02’ (MAC address of terminal A 50 )
- the source IP address is ‘10.0.0.2’ (IP address of terminal A 50 )
- the destination MAC address is ‘02:11:11:11:11:03’ (virtual MAC address of terminal B 60 )
- the destination IP address is ‘10.0.0.3’ (IP address of terminal B 60 ).
- Upon receipt of the frame, the layer-2 switch C 30 references the learning table and transmits the frame to the port (‘Port2’) to which the destination MAC address (virtual MAC address ‘02:11:11:11:11:03’ of terminal B 60 ) is connected. This entry was created in phase 2.
- When the frame transceiver section 11 of the security switch 10 receives the frame (S 10 , ‘N’ in S 20 ), the frame transceiver section 11 outputs the frame to the security check section 12 .
- the security check section 12 checks the security of the received frame (S 25 ) and outputs the frame to the MAC address conversion section 13 (‘Y’ in S 25 ).
- the security check section 12 discards the frame when checking the security of the received frame reveals a problem (S 27 ). This prevents a worm, a DoS attack or the like from spreading to the devices in the floor LAN 100 .
- the security check section 12 may display information indicating that a problem has occurred on the display section instead of discarding the frame and perform processing to obtain a log or the like.
- the MAC address conversion section 13 searches the address correspondence holding section 14 by using the source MAC address (MAC address ‘00:11:11:11:11:02’ of terminal A 50 ) as the search key and obtains the virtual MAC address (virtual MAC address ‘02:11:11:11:11:02’ of terminal A 50 , generated in Phase 1) (‘Y’ in S 26 , S 28 ).
- the MAC address conversion section 13 rewrites the source MAC address of the received frame with the acquired virtual MAC address (S 29 ).
- the MAC address conversion section 13 searches the address correspondence holding section 14 by using the destination MAC address in the received frame (the virtual MAC address ‘02:11:11:11:11:03’ of terminal B 60 ) as the search key (S 28 ) and acquires the real MAC address (real MAC address ‘00:11:11:11:11:03’ of terminal B 60 ). The MAC address conversion section 13 then rewrites the destination MAC address of the received frame (virtual MAC address) with the acquired real MAC address (S 29 ).
- the source MAC address is ‘02:11:11:11:11:02’ (virtual MAC address of terminal A 50 )
- the source IP address is ‘10.0.0.2’ (IP address of terminal A 50 )
- the destination MAC address is ‘00:11:11:11:11:03’ (real MAC address of terminal B 60 )
- the destination IP address is ‘10.0.0.3’ (IP address of terminal B 60 ).
- the MAC address conversion section 13 outputs the rewritten frame to the frame transceiver section 11 and the frame transceiver section 11 transmits the frame to the floor LAN 100 (S 17 , S 18 ).
- Upon receipt of the transmitted frame, the layer-2 switch C 30 registers the source MAC address ‘02:11:11:11:11:02’ (virtual MAC address of terminal A 50 ) and the connection port (‘Port1’) in the learning table and transmits the frame to the port (‘Port2’) to which the destination MAC address (‘00:11:11:11:11:03’) is connected.
- terminal B 60 receives the transmitted frame (S 40 , ‘Y’ in S 41 , ‘N’ in S 42 , S 43 ).
- the transmission of the frame from terminal B 60 to terminal A 50 can also be implemented in the same way by means of this phase 3 and procedure.
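The following Python model of phases 2 and 3 is an added example and is not code from the patent or from any product implementing it. It models the address correspondence holding section 14 as a dictionary, the ARP proxy reply section 17 as `proxy_arp_reply`, and the security check section 12 plus the MAC address conversion section 13 as `relay`. The terminals and addresses are the page's example values; the rule that derives a virtual MAC by setting the locally administered bit of the first octet is an assumption that reproduces the page's address pairs, and dropping a frame whose addresses are not found (‘N’ in S 26 ) is likewise an assumption, since the page does not state that branch.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def make_virtual_mac(real_mac: str) -> str:
    """Derive a virtual MAC from a real one (assumption: set the locally
    administered bit, which turns '00:11:11:11:11:02' into '02:11:11:11:11:02')."""
    octets = real_mac.split(":")
    first = int(octets[0], 16) | 0x02
    return ":".join(["%02X" % first] + octets[1:])


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str = "ip"  # "ip", "arp_request" or "arp_reply"


@dataclass
class SecuritySwitch:
    # Address correspondence holding section 14: ip -> (real MAC, virtual MAC).
    table: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # Security check section 12 modelled as a predicate; True means the frame passed.
    security_check: Callable[[Frame], bool] = lambda frame: True

    def register(self, ip: str, real_mac: str) -> None:
        """Outcome of (Phase 1): store the real and virtual MAC of a terminal (S 15)."""
        self.table[ip] = (real_mac, make_virtual_mac(real_mac))

    def _lookup_by_real(self, mac: str) -> Optional[Tuple[str, str]]:
        return next((e for e in self.table.values() if e[0] == mac), None)

    def _lookup_by_virtual(self, mac: str) -> Optional[Tuple[str, str]]:
        return next((e for e in self.table.values() if e[1] == mac), None)

    def proxy_arp_reply(self, req: Frame) -> Optional[Frame]:
        """(Phase 2), S 21 to S 24: answer an ARP request with the target's
        virtual MAC. Returns None when the request is discarded (S 16)."""
        entry = self.table.get(req.dst_ip)
        if entry is None:
            return None
        _real, virtual = entry
        return Frame(src_mac=virtual, dst_mac=req.src_mac,
                     src_ip=req.dst_ip, dst_ip=req.src_ip, kind="arp_reply")

    def relay(self, frame: Frame) -> Optional[Frame]:
        """(Phase 3), S 25 to S 29: run the security check, then replace the real
        source MAC with the virtual one and the virtual destination MAC with the
        real one. Returns None when the frame is discarded."""
        if not self.security_check(frame):
            return None  # S 27: problem found, frame dropped
        src_entry = self._lookup_by_real(frame.src_mac)
        dst_entry = self._lookup_by_virtual(frame.dst_mac)
        if src_entry is None or dst_entry is None:
            return None  # assumption: unknown address pair is dropped ('N' in S 26)
        return Frame(src_mac=src_entry[1], dst_mac=dst_entry[0],
                     src_ip=frame.src_ip, dst_ip=frame.dst_ip, kind=frame.kind)


def build_example_switch() -> SecuritySwitch:
    """Switch populated with the page's terminals A 50 and B 60 (constructed input)."""
    sw = SecuritySwitch()
    sw.register("10.0.0.2", "00:11:11:11:11:02")
    sw.register("10.0.0.3", "00:11:11:11:11:03")
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    req = Frame("00:11:11:11:11:02", "FF:FF:FF:FF:FF:FF", "10.0.0.2", "10.0.0.3", "arp_request")
    print(sw.proxy_arp_reply(req))
    data = Frame("00:11:11:11:11:02", "02:11:11:11:11:03", "10.0.0.2", "10.0.0.3")
    print(sw.relay(data))
```

Running the block prints the ARP reply carrying ‘02:11:11:11:11:03’ as its sender MAC and the relayed data frame with source ‘02:11:11:11:11:02’ and destination ‘00:11:11:11:11:03’, the same values the page lists for phase 3. A `security_check` that returns False makes `relay` return None, which is the S 27 discard path.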
- examples of the learning tables of the respective layer-2 switches C 30 and D 40 are shown in FIGS. 6B and 6C , and examples of the ARP tables of the respective terminals A 50 and B 60 are shown in FIGS. 7A and 7B .
- the security switch 10 that implements an increase in security can be provided for terminals A 50 and B 60 in floor LAN 100 .
- the second embodiment will be described next.
- the second embodiment is an example in which a virtual MAC address is created without using an ARP request frame and ARP reply frame in order to increase the security.
- FIG. 8 is a configuration example of a security switch 10 of the second embodiment.
- the IP address of a server 120 is ‘20.0.0.1’
- the MAC address of a default gateway 130 is ‘00:11:11:11:11:10’
- Other network configuration examples are substantially the same as that of the first embodiment.
- terminal A 50 and B 60 are the same as those of the first embodiment and the constitution of the security switch 10 is also substantially the same as that of the first embodiment.
- the address collection section 15 of the security switch 10 differs from that of the first embodiment in that the source IP address and the source MAC address are extracted from the header information of the frame received from the floor LAN 100 and output to the virtual MAC address generation section 16 .
- (Phase 1) Address collection phase by the security switch 10
- FIG. 9 shows an example of a flowchart of the security switch 10 of the second embodiment. The same numerals have been assigned to the same processing as the example shown in FIG. 4 .
- Terminal A 50 generates the frame that is to be transmitted to server 120 .
- the source MAC address of the frame is ‘00:11:11:11:11:02’ (MAC address of terminal A 50 )
- the source IP address is ‘10.0.0.2’ (the IP address of terminal A 50 )
- the destination IP address is ‘20.0.0.2’ (the IP address of the server 120 )
- the destination MAC address is ‘00:11:11:11:11:10’ (the MAC address of the gateway 130 ).
- Upon receipt of the frame, the layer-2 switch C 30 references the learning table and transmits the frame to the port (‘Port2’) to which the destination MAC address (‘00:11:11:11:11:10’) is connected.
- When the frame transceiver section 11 of the security switch 10 receives the frame (S 10 ), the frame transceiver section 11 transfers the frame to the backbone LAN 110 . Further, because the frame was received from the floor LAN 100 , the frame is also duplicated and transferred to the address collection section 15 .
- the address collection section 15 outputs the source IP address of the received frame (the IP address ‘10.0.0.2’ of terminal A 50 ) and the source MAC address (the MAC address ‘00:11:11:11:11:02’ of terminal A 50 ) to the virtual MAC address generation section 16 .
- the virtual MAC address generation section 16 searches the address correspondence holding section 14 by using the source IP address and the source MAC address (or either one) as the search key (S 50 ). In this example, because the virtual MAC address of terminal A 50 has not been registered (‘N’ in S 51 ), the virtual MAC address is generated (S 52 ).
- the virtual MAC address generation section 16 generates a virtual MAC address (virtual MAC address ‘02:11:11:11:11:02’ of terminal A 50 ) on the basis of the real MAC address in the same way as in the first embodiment. Further, the virtual MAC address, IP address (‘10.0.0.2’) and real MAC address (‘00:11:11:11:11:02’) are registered in the address correspondence holding section 14 (S 53 ).
- the security switch 10 is able to collect addresses on the basis of the received frame from the floor LAN 100 and generate the virtual MAC addresses of the respective terminals A 50 and B 60 in the floor LAN 100 .
- the subsequent processing is the same as that of the first embodiment.
- the amount of data transferred into the floor LAN 100 can be proportionately reduced and the effective utilization of the network resources can be achieved.
- terminal A 50 is able to transmit the ARP request frame to the security switch 10 and, by receiving the reply frame, terminal A 50 is able to acquire the virtual MAC address of terminal B 60 (phase 2).
- the frame can be transferred to the security switch 10 (phase 3).
- the security switch 10 that improves the security without changing the network configuration can be provided.
- the third embodiment is an example in which communication between terminals subordinate to the same physical port of the security switch 10 is made to pass through the security switch 10 by using virtual MAC addresses as in the first embodiment and so forth, whereas communication between terminals subordinate to different physical ports passes through the security switch 10 without such processing.
- FIG. 10 shows a constitutional example of the network according to the third embodiment.
- the same numerals have been assigned to the same parts as those of the first embodiment and so forth.
- a terminal C 70 is connected to a different physical port of the security switch 10 (‘Port2’, for example).
- FIG. 11 is a configuration example of the security switch 10 and so forth.
- the constitution of the security switch is substantially the same as that of the first embodiment but for the addition of a terminal connection port holding section 18 .
- the terminal connection port holding section 18 holds the real MAC address of the terminal and physical port information of the connection destination.
- when the address collection section 15 receives an ARP reply frame from the frame transceiver section 11 , the address collection section 15 registers the reception physical port number of the frame and the source MAC address in the terminal connection port holding section 18 .
- the other functions are the same as those of the first embodiment.
- the ARP proxy reply section 17 receives a reception port number together with the ARP request frame from the frame transceiver section 11 .
- the ARP proxy reply section 17 searches the address correspondence holding section 14 by using the destination IP address as the search key. Further, the terminal connection port holding section 18 is searched by using the real MAC address thus obtained as the search key and the physical port number is obtained. It is judged whether subordination is to the same physical port as the reception port by comparing the obtained physical port number and the port number from the frame transceiver section 11 . Based on the judgment result, a virtual MAC address is sent back when the port is the same as the reception port and a real MAC address is sent back when the port is another port.
- the frame transceiver section 11 outputs the reception physical port number to the address collection section 15 and ARP proxy reply section 17 .
- information indicating the physical port number is stored in the memory, for example, and, when a frame is received by a certain physical port, this information is output together with the frame.
- FIG. 12 shows an example of a flowchart of a security switch 10 of the third embodiment.
- the same numerals have been assigned to the same processing as that of the first embodiment ( FIG. 4 ).
- the processing of the respective terminals A 50 is as per the flowchart in FIG. 5 as in the case of the first embodiment.
- Each of the phases of phases 1 to 3 will now be described as per the first embodiment.
- the processing is the same as that of the first embodiment up until an ARP request frame is generated by the address collection section 15 of the security switch 10 and terminal A 50 transmits an ARP reply frame in response to this frame.
- the learning tables generated by the layer-2 switches C 30 and D 40 are also the same and the fact that the ARP request frame received by the terminal B 60 is discarded and a reply is not made is also the same as in the first embodiment.
- when the frame transceiver section 11 of the security switch 10 receives the ARP reply frame (S 10 of FIG. 12 ), because the ARP reply frame is a reply frame addressed to itself (‘Y’ in S 11 ), the ARP reply frame and the reception physical port number (‘Port1’) are output to the address collection section 15 .
- the address collection section 15 outputs the source IP address of the ARP reply frame (the IP address ‘10.0.0.2’ of terminal A 50 ) and the source MAC address (‘00:11:11:11:11:02’) to the virtual MAC address generation section 16 .
- the address collection section 15 also outputs the source MAC address and the reception physical port number (‘Port1’) to the terminal connection port holding section 18 , where the information is saved (S 60 ).
- the virtual MAC address generation section 16 searches the address correspondence holding section 14 by using the source IP and MAC address (or either one) as the search key; because a relevant entry is not found (S 12 , ‘N’ in S 13 ), the virtual MAC address generation section 16 generates a virtual MAC address (S 14 ).
- the virtual MAC address generation section 16 generates a virtual MAC address (virtual MAC address ‘02:11:11:11:11:02’ of terminal A 50 ) on the basis of the real MAC address.
- the rule for generation is the same as that of the first embodiment.
- the generated virtual MAC address is registered in the address correspondence holding section 14 together with the real MAC address and IP address (S 15 ).
- once the virtual MAC address is registered, the entry of terminal A 50 (MAC address ‘00:11:11:11:11:02’, port number ‘Port1’) is registered in the terminal connection port holding section 18 .
- terminal B 60 : MAC address ‘00:11:11:11:11:03’, port number ‘Port1’
- terminal C 70 : MAC address ‘00:11:11:11:11:04’, port number ‘Port2’
- the transmission by terminal A 50 of an ARP request frame by means of a broadcast is the same as that of the first embodiment.
- the difference is the processing by the security switch 10 that receives the frame (S 61 to S 63 ).
- upon receipt of the ARP request frame (S 10 ), the frame transceiver section 11 of the security switch 10 outputs the frame and the reception physical port number (‘Port1’) to the ARP proxy reply section 17 (‘N’ in S 11 and ‘Y’ in S 20 , S 21 ).
- the ARP proxy reply section 17 searches the address correspondence holding section 14 by means of the destination IP address of the ARP request frame (IP address ‘10.0.0.3’ of terminal B 60 ) (S 22 ) and acquires the relevant real MAC address ‘00:11:11:11:11:03’ and the virtual MAC address ‘02:11:11:11:11:03’ (‘Y’ in S 23 ).
- the ARP proxy reply section 17 searches the terminal connection port holding section 18 by using the real MAC address thus obtained as the search key (S 61 ) and acquires the port number ‘Port1’.
- the port number is the same as the reception physical port number ‘Port1’ from the frame transceiver section 11 (‘Y’ in S 62 ).
- reception port: the reception physical port number
- port: the port number to which the frame is transmitted (the destination port number)
- processing that is the same as that of the first embodiment, that is, processing that uses a virtual MAC address (processing following S 63 ), is performed.
- the ARP proxy reply section 17 creates an ARP reply frame (S 63 ) and transmits the frame to ‘Port1’ (S 17 ).
- Terminal A 50 acquires the virtual MAC address of terminal B 60 .
- terminal A 50 transmits the ARP request frame by means of a broadcast.
- the MAC address and IP address of the transmission source of the ARP request frame is the address of terminal A (‘00:11:11:11:11:02’ and ‘10.0.0.2’ respectively)
- the destination MAC address is the broadcast address ‘FF:FF:FF:FF:FF:FF’
- the destination IP address is the address ‘10.0.0.4’ of terminal C 70 .
- When the layer-2 switches C 30 and D 40 receive the ARP request frame, because the destination is a broadcast address, the layer-2 switches C 30 and D 40 transmit the frame to all the ports.
- terminal B 60 discards the ARP request frame (‘N’ in S 41 , S 47 ).
- When the frame transceiver section 11 of the security switch 10 receives the ARP request frame (S 10 ), because the destination is a broadcast address, the frame transceiver section 11 transmits the frame to ‘Port2’. Further, the frame transceiver section 11 outputs the reception physical port number ‘Port1’ and the ARP request frame to the ARP proxy reply section 17 (‘N’ in S 11 and ‘Y’ in S 20 , S 21 ).
- the ARP proxy reply section 17 searches the address correspondence holding section 14 by means of the destination IP address ‘10.0.0.4’ of the ARP request frame and acquires the relevant real MAC address ‘00:11:11:11:11:04’ and the virtual MAC address ‘02:11:11:11:11:04’ (S 22 , ‘Y’ in S 23 ).
- the ARP proxy reply section 17 searches the terminal connection port holding section 18 by using the real MAC address thus obtained as the search key (S 61 ) and acquires the port number ‘Port2’. This number differs from the reception physical port number ‘Port1’ (‘N’ in S 62 ), and therefore an ARP reply frame is created by means of the real MAC address (S 64 ).
- the created ARP reply frame is a frame in which the transmission source is the address of terminal C 70 (real MAC address ‘00:11:11:11:11:04’ and IP address ‘10.0.0.4’), and the destination is the address of terminal A 50 (MAC address ‘00:11:11:11:11:02’ and IP address ‘10.0.0.2’).
- the source MAC address is the real MAC address, not the virtual MAC address.
- the frame transceiver section 11 outputs the ARP reply frame to ‘Port1’.
- Upon receipt of the ARP reply frame, the layer-2 switch C 30 references the learning table and transmits the frame to port ‘Port1’ to which the destination MAC address ‘00:11:11:11:11:02’ is connected.
- Terminal A 50 receives the ARP reply frame (S 40 ) and acquires the real MAC address of terminal C 70 . Thereafter, terminal A 50 communicates with terminal C 70 by using the real MAC address. Thereupon, communication is made from terminal A 50 to terminal C 70 via the security switch 10 by means of a normal layer-2 relay. Therefore, the security can be increased because the transmitted frame passes through the security check section 12 of the security switch 10 .
- terminal C 70 acquires the real MAC address of terminal A 50 and communicates by using the address. In this case also, the frame is sent and received via the security switch 10 . Furthermore, the processing can be performed in exactly the same way between terminals B 60 and C 70 .
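The port comparison of the third embodiment (S 61 to S 64 ), as an added example that is not code from the patent: the address correspondence holding section 14 and the terminal connection port holding section 18 are constructed dictionaries holding the page's terminals A 50 , B 60 and C 70 , `learn_port` stands for S 60 , and `arp_reply_sender_mac` returns the MAC the ARP proxy reply section 17 would place in its reply. Answering with the virtual MAC when a terminal's port has not been learned yet is an assumption; the page does not cover that case.

```python
from typing import Dict, Optional, Tuple

# Constructed tables following the page's third-embodiment example.
# Address correspondence holding section 14: ip -> (real MAC, virtual MAC).
ADDR_TABLE: Dict[str, Tuple[str, str]] = {
    "10.0.0.2": ("00:11:11:11:11:02", "02:11:11:11:11:02"),  # terminal A 50
    "10.0.0.3": ("00:11:11:11:11:03", "02:11:11:11:11:03"),  # terminal B 60
    "10.0.0.4": ("00:11:11:11:11:04", "02:11:11:11:11:04"),  # terminal C 70
}
# Terminal connection port holding section 18: real MAC -> physical port.
PORT_TABLE: Dict[str, str] = {
    "00:11:11:11:11:02": "Port1",
    "00:11:11:11:11:03": "Port1",
    "00:11:11:11:11:04": "Port2",
}


def learn_port(port_table: Dict[str, str], real_mac: str, reception_port: str) -> None:
    """S 60: remember on which physical port an ARP reply from a terminal arrived."""
    port_table[real_mac] = reception_port


def arp_reply_sender_mac(target_ip: str, reception_port: str,
                         addr_table: Dict[str, Tuple[str, str]] = ADDR_TABLE,
                         port_table: Dict[str, str] = PORT_TABLE) -> Optional[str]:
    """Sender MAC the ARP proxy reply section 17 puts into its reply.

    None means the request is discarded (S 16). Same port as the requester:
    virtual MAC, so the traffic is forced through the switch (S 63). Other
    port: real MAC, because the switch relays that traffic anyway (S 64)."""
    entry = addr_table.get(target_ip)
    if entry is None:
        return None  # 'N' in S 23
    real_mac, virtual_mac = entry
    target_port = port_table.get(real_mac)  # S 61
    if target_port is None:
        return virtual_mac  # assumption: port unknown, fall back to first-embodiment behaviour
    return virtual_mac if target_port == reception_port else real_mac  # S 62


if __name__ == "__main__":
    # Request from Port1 for B (same port) and for C (other port), as on the page.
    print(arp_reply_sender_mac("10.0.0.3", "Port1"))
    print(arp_reply_sender_mac("10.0.0.4", "Port1"))
```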
- the IP address of the respective terminals A 50 and so forth may be registered together with the port information, for example; any identifier that makes it possible to identify the respective terminals may be used.
- Both the noncorresponding terminal and the security switch 10 reply to the ARP request frame from terminal A 50 and, when terminal A 50 adopts the ARP reply from the noncorresponding terminal, terminal A 50 acquires the real MAC address of the noncorresponding terminal. Hence, the noncorresponding terminal is able to acquire the virtual MAC address of terminal A 50 , and communication using a virtual MAC address can be made via the security switch 10 .
- In the fourth embodiment, the security switch 10 detects the noncorresponding terminal so that it cannot acquire a virtual MAC address.
- FIG. 13 is a configuration example of terminal B 60 and the security switch 10 of the fourth embodiment. In comparison with the first embodiment ( FIG. 2 ), a noncorresponding terminal detection section 19 has been added.
- the noncorresponding terminal detection section 19 creates an ARP request frame by means of a source address that is different from its own device address for a real MAC address that is registered in the address correspondence holding section 14 and outputs the ARP request frame to the frame transceiver section 11 .
- the corresponding terminal has a function that generates an ARP reply frame only in the event of an ARP request frame from the security switch 10 . Therefore, when an ARP request frame with a source address which is not the security switch 10 is transmitted to a certain terminal and an ARP reply frame is sent back, the terminal can be judged to be a noncorresponding terminal. When, on the other hand, an ARP reply frame is not sent back, the terminal can be judged to be a corresponding terminal.
- the noncorresponding terminal detection section 19 registers, on the basis of the judgment result, flag information in the address correspondence holding section 14 indicating whether the terminal is a corresponding terminal or a noncorresponding terminal. For example, a corresponding terminal discrimination field in which ‘1’ is recorded for a corresponding terminal and ‘0’ for a noncorresponding terminal is added to the address correspondence holding section 14 .
- when the flag indicates a noncorresponding terminal, the ARP proxy reply section 17 does not generate the ARP reply frame. Otherwise, this is the same as the first embodiment.
- FIG. 14 is an example of the flowchart of the security switch 10 of the fourth embodiment.
- the network configuration will be described by means of the example of the third embodiment ( FIG. 10 ).
- Terminal C 70 is the scanning target terminal.
- the noncorresponding terminal detection section 19 reads the address correspondence holding section 14 by means of timer interrupt processing (S 80 ) and acquires the destination IP address of the scanning target (S 81 ). Further, it sets the timer (‘4’ seconds, for example) (S 82 ) and creates an ARP request frame the transmission source of which is not the security switch 10 (S 83 ).
- the source MAC address is ‘00:11:11:11:11:99’ and the source IP address is ‘10.0.0.99’
- any source address other than that of the security switch 10 may be used; an address that is not used by any device in the floor LAN 100 is possible.
- the destination MAC address is ‘FF:FF:FF:FF:FF:FF’ and the destination IP address is ‘10.0.0.4’ (IP address of terminal C 70 ).
- the frame is transmitted from the frame transceiver section 11 (S 17 , S 18 ).
- if terminal C 70 is a corresponding terminal, because the IP address (or MAC address) of the transmission source is not that of the security switch 10 , no reply frame is created. If terminal C 70 is a noncorresponding terminal, because it replies to the ARP request frame, an ARP reply frame is transmitted.
- FIG. 15 is an example of a flowchart for discriminating the noncorresponding terminal of the security switch 10 .
- when no ARP reply frame is received before the timer expires, the terminal is recorded in the address correspondence holding section 14 as a corresponding terminal (S 92 ).
- when an ARP reply frame is received, the noncorresponding terminal detection section 19 records the terminal being investigated in the address correspondence holding section 14 as a noncorresponding terminal (S 71 ).
- FIG. 16 is an example of a table that is stored in the address correspondence holding section 14 . This is an example in which terminal C 70 is recorded as a noncorresponding terminal.
- when terminal C 70 transmits ARP request frames addressed to the respective floor terminals (‘Y’ in S 20 ), the ARP proxy reply section 17 generates an ARP reply frame only if the requesting terminal is a corresponding terminal (‘Y’ in S 72 , S 24 ). When the terminal is not a corresponding terminal (‘N’ in S 72 ), the received ARP request frame is discarded (S 16 ) and no ARP reply frame is generated.
- because the noncorresponding terminal is unable to obtain a virtual MAC address, communication from the noncorresponding terminal to the corresponding terminal cannot be made; that is, it is blocked.
- even when a terminal that represents a security threat is connected to the floor LAN 100 , a worm or other infection can be prevented from spreading to other terminals in the floor LAN 100 .
- the other processing is the same as that of the first embodiment.
- a security switch 10 that improves security can be provided without changing the network configuration also in the fourth embodiment.
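An added example, not code from the patent, of the fourth embodiment's detection and gating logic. The probe source (‘00:11:11:11:11:99’, ‘10.0.0.99’), the discrimination field values (1 corresponding, 0 noncorresponding) and the terminal addresses are the page's; the switch's own IP address is not given on the page, so `SWITCH_IP` is an assumption. The two terminal functions stand in for the wire and the 4-second timer: each returns True when the terminal would have answered the probe in time, which is what FIG. 15 decides on.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Probe source from the page (deliberately not the switch's own address).
PROBE_SRC_MAC = "00:11:11:11:11:99"
PROBE_SRC_IP = "10.0.0.99"
# Assumption: the security switch's own IP address is not stated on the page.
SWITCH_IP = "10.0.0.1"


@dataclass
class ArpRequest:
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Entry:
    real_mac: str
    virtual_mac: str
    corresponding: int = 1  # discrimination field: 1 corresponding, 0 noncorresponding


def corresponding_terminal(req: ArpRequest) -> bool:
    """Terminal-side rule of the first embodiment: answer only the security switch."""
    return req.src_ip == SWITCH_IP


def noncorresponding_terminal(req: ArpRequest) -> bool:
    """Ordinary ARP stack: answers any request for its own IP address."""
    return True


class NoncorrespondingDetector:
    """Noncorresponding terminal detection section 19 plus the S 72 gate."""

    def __init__(self, table: Dict[str, Entry]) -> None:
        self.table = table  # address correspondence holding section 14

    def probe(self, target_ip: str, terminal: Callable[[ArpRequest], bool]) -> int:
        """S 81 to S 83 and FIG. 15: send a probe whose source is not the switch;
        a reply within the timer marks the terminal noncorresponding (S 71),
        silence marks it corresponding (S 92). Returns the recorded flag."""
        req = ArpRequest(PROBE_SRC_MAC, PROBE_SRC_IP, target_ip)
        replied = terminal(req)
        self.table[target_ip].corresponding = 0 if replied else 1
        return self.table[target_ip].corresponding

    def proxy_reply_allowed(self, requester_ip: str) -> bool:
        """S 72: proxy ARP replies go only to corresponding terminals, so a
        noncorresponding terminal never learns a virtual MAC address."""
        entry = self.table.get(requester_ip)
        return entry is not None and entry.corresponding == 1


def build_example_table() -> Dict[str, Entry]:
    """Constructed table with the page's terminals A 50, B 60 and C 70."""
    return {
        "10.0.0.2": Entry("00:11:11:11:11:02", "02:11:11:11:11:02"),
        "10.0.0.3": Entry("00:11:11:11:11:03", "02:11:11:11:11:03"),
        "10.0.0.4": Entry("00:11:11:11:11:04", "02:11:11:11:11:04"),
    }


if __name__ == "__main__":
    det = NoncorrespondingDetector(build_example_table())
    det.probe("10.0.0.4", noncorresponding_terminal)  # terminal C 70 answers: flag 0
    det.probe("10.0.0.3", corresponding_terminal)     # terminal B 60 stays silent: flag 1
    print({ip: e.corresponding for ip, e in det.table.items()})
    print(det.proxy_reply_allowed("10.0.0.4"), det.proxy_reply_allowed("10.0.0.3"))
```

The gate is keyed on the requester, not the target: the page's point is that the noncorresponding terminal C 70 is denied virtual MAC addresses for every floor terminal, while corresponding terminals keep working unchanged.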
- the fifth embodiment will be described next.
- the fifth embodiment is an example in which, by checking whether another terminal is using the same IP address, changes to the IP address of the terminal and duplication of the IP address as a result of a setting mistake or the like are prevented.
- FIG. 17 shows a configuration example of the security switch 10 and so forth of the fifth embodiment.
- FIG. 18 shows an example of a flowchart of the security switch 10 of the fifth embodiment.
- the security switch 10 of the fifth embodiment is obtained by adding an ARP reply judgment section 20 to the first embodiment ( FIG. 2 ).
- the ARP reply judgment section 20 judges whether to reply to the ARP request frame called a Gratuitous ARP frame that is transmitted from terminal A 50 or the like.
- the Gratuitous ARP frame is a frame in which, when the IP address of terminal A 50 or the like is changed, the changed IP address is stored in both fields of the source IP address and destination IP address of the ARP request frame.
- the ARP reply judgment section 20 searches the address correspondence holding section 14 by using the address as the search key when the source IP address and the destination IP address are the same.
- a set of the source IP address and source MAC address is registered in the address correspondence holding section 14 , or, if (Phase 1) of the first embodiment has not been executed, the set is not registered. If the source IP address of the Gratuitous ARP frame is registered in the address correspondence holding section 14 but the source MAC address is not the one registered for that IP address, the IP address is registered as the IP address of another terminal. That is, duplication of the address has occurred.
- the security switch 10 must report the fact that duplication of the address has occurred to terminal A 50 that transmitted the frame.
- if duplication has occurred, the ARP reply frame is transmitted to terminal A 50 or the like; if duplication has not occurred, this frame is not transmitted.
- terminal A 50 or the like that transmitted the Gratuitous ARP frame is able to check the duplication of the IP address.
- the ARP proxy reply section 17 outputs the frame to the ARP reply judgment section 20 .
- An ARP reply frame is created only when the reply instruction has been input from the ARP reply judgment section 20 .
- a case where the terminal A 50 performs IP address changes and so forth and transmits a Gratuitous ARP frame may be considered.
- the source MAC address is the MAC address (‘00:11:11:11:11:02’) of terminal A 50 , both the source IP address and the destination IP address are the IP address of terminal A 50 (‘10.0.0.2’), and the destination MAC address is the broadcast address (‘FF:FF:FF:FF:FF:FF’).
- When the frame transceiver section 11 of the security switch 10 receives the frame (S 10 ), the frame transceiver section 11 transfers the frame to the ARP proxy reply section 17 (‘N’ in S 11 , ‘Y’ in S 20 , S 21 ).
- the ARP proxy reply section 17 searches the address correspondence holding section 14 by means of the destination IP address (‘10.0.0.2’) (S 22 ) and acquires the relevant virtual MAC address (‘02:11:11:11:11:02’) (‘Y’ in S 23 ). Further, the ARP proxy reply section 17 outputs the Gratuitous ARP frame to the ARP reply judgment section 20 .
- because the source IP address and the destination IP address of the frame are the same, the ARP reply judgment section 20 searches the address correspondence holding section 14 by using this address as the search key (S 100 ). As a result of the search, the ARP reply judgment section 20 acquires the relevant real MAC address (‘00:11:11:11:11:02’).
- because the acquired real MAC address matches the source MAC address of the frame, the ARP reply judgment section 20 outputs a no-reply instruction to the ARP proxy reply section 17 .
- Upon receipt of the no-reply instruction, the ARP proxy reply section 17 discards the received Gratuitous ARP frame (S 16 ). As a result, no ARP reply frame is transmitted to terminal A 50 , and terminal A 50 can grasp the fact that the IP address in the Gratuitous ARP frame (the changed IP address) is not used by another terminal.
- suppose that terminal B 60 transmits a Gratuitous ARP frame in which both the source IP address and the destination IP address are the IP address (‘10.0.0.2’) of terminal A 50 . The source MAC address is ‘00:11:11:11:11:03’, whereas the MAC address acquired from the address correspondence holding section 14 is ‘00:11:11:11:11:02’.
- because the values are different, a reply instruction is issued. Because an ARP reply frame is then sent back to terminal B 60 , it is clear that the IP address (‘10.0.0.2’) is being used by another terminal (terminal A 50 ) and that address duplication has occurred.
- a security switch 10 that improves security without changing the network configuration by performing the same processing as that of the first embodiment can be provided.
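The Gratuitous ARP judgment of the fifth embodiment, as an added example that is not code from the patent. `judge_reply` is the ARP reply judgment section 20 (S 100 ) and `handle_gratuitous_arp` is the ARP proxy reply section 17 acting on its instruction; the table is a constructed copy of the page's entries for terminals A 50 and B 60 , and the two frames below are the page's own cases (terminal A 50 announcing its own address, terminal B 60 announcing A's address). Treating an unregistered IP as "no duplication known" follows the page's remark that the set is absent when (Phase 1) has not run.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ArpFrame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


# Constructed address correspondence holding section 14: ip -> (real MAC, virtual MAC).
TABLE: Dict[str, Tuple[str, str]] = {
    "10.0.0.2": ("00:11:11:11:11:02", "02:11:11:11:11:02"),  # terminal A 50
    "10.0.0.3": ("00:11:11:11:11:03", "02:11:11:11:11:03"),  # terminal B 60
}

BROADCAST = "FF:FF:FF:FF:FF:FF"


def is_gratuitous_arp(frame: ArpFrame) -> bool:
    """A Gratuitous ARP frame carries the announced IP in both IP fields."""
    return frame.src_ip == frame.dst_ip


def judge_reply(frame: ArpFrame, table: Dict[str, Tuple[str, str]] = TABLE) -> str:
    """ARP reply judgment section 20 (S 100): 'reply' when the announced IP is
    registered to a different MAC (duplicate), otherwise 'no-reply'."""
    if not is_gratuitous_arp(frame):
        raise ValueError("not a Gratuitous ARP frame")
    entry = table.get(frame.src_ip)
    if entry is None:
        return "no-reply"  # not registered: (Phase 1) has not run for this IP
    real_mac, _virtual = entry
    return "no-reply" if real_mac == frame.src_mac else "reply"


def handle_gratuitous_arp(frame: ArpFrame,
                          table: Dict[str, Tuple[str, str]] = TABLE) -> Optional[ArpFrame]:
    """ARP proxy reply section 17 under the fifth embodiment: returns the ARP
    reply sent back on duplication, or None when the frame is discarded (S 16)."""
    if judge_reply(frame, table) == "no-reply":
        return None
    _real, virtual = table[frame.src_ip]
    # The reply carries the virtual MAC acquired in S 22/S 23, so the sender learns
    # that the address is taken without learning the owner's real MAC.
    return ArpFrame(src_mac=virtual, src_ip=frame.src_ip,
                    dst_mac=frame.src_mac, dst_ip=frame.src_ip)


def own_announcement() -> ArpFrame:
    """Terminal A 50 announces its own (unchanged) address: no duplication."""
    return ArpFrame("00:11:11:11:11:02", "10.0.0.2", BROADCAST, "10.0.0.2")


def conflicting_announcement() -> ArpFrame:
    """Terminal B 60 announces terminal A 50's address: duplication."""
    return ArpFrame("00:11:11:11:11:03", "10.0.0.2", BROADCAST, "10.0.0.2")


if __name__ == "__main__":
    print(judge_reply(own_announcement()), handle_gratuitous_arp(own_announcement()))
    print(judge_reply(conflicting_announcement()), handle_gratuitous_arp(conflicting_announcement()))
```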
- the sixth embodiment will be described next.
- the sixth embodiment is an example in which a defect caused by updating the ARP table stored in the respective terminals A 50 and so forth is corrected.
- the respective terminals A 50 and so forth have an ARP table in which a set of a MAC address (virtual MAC address or real MAC address) and an IP address are stored.
- each terminal checks its ARP table each time an ARP request frame from terminal A 50 is received; when an entry for terminal A 50 exists, the entry is updated, and when the entry does not exist, no change is made to the ARP table.
- terminal A 50 transmits the ARP request frame to terminal C 70 .
- the source address of the frame is the IP and real MAC address of terminal A 50 .
- Terminal B 60 also receives the frame. As described in the first embodiment or the like, the frame is not addressed to terminal B 60 , and terminal B 60 discards it (‘N’ in S 41 , S 47 ).
- however, if the IP address of terminal A 50 exists in the ARP table of terminal B 60 , the terminal-side frame transceiver section 61 rewrites the corresponding virtual MAC address with the real MAC address of terminal A 50 .
- terminal B 60 acquires the real MAC address of terminal A 50 and communication can be performed without passage through the security switch 10 .
- when an ARP request frame is transmitted in order to acquire a virtual MAC address from a terminal, an ARP request frame whose source IP address is an IP address other than the terminal's own IP address (the source MAC address remains its own MAC address) is transmitted.
- because no entry for that source IP address exists in the ARP tables of the other terminals, the frame causes no update. Accordingly, the virtual MAC addresses in the ARP table 63 are not rewritten with real MAC addresses, and the frames transmitted from the respective terminals continue to pass through the security switch 10 . Higher security is accordingly secured.
- the terminal-side frame transceiver section may store an address other than its own IP address in the frame and transmit the frame.
- an IP address that has not been allocated to a terminal in the same subnet (‘10.0.5’ to ‘10.0.0.256’ and so forth in the example in FIG. 10 , for example) may be used.
- the frame of the sixth embodiment differs from the Gratuitous ARP frame of the fifth embodiment in that its source IP address and destination IP address are different.
- the ARP reply control section 62 discriminates the frame by checking whether the source IP address is the special IP address (or whether the frame is a Gratuitous ARP frame) and whether the set of the destination IP address and the source address is registered in the ARP reply control section 62 .
- the sixth embodiment allows the first embodiment above to be implemented and exhibits the same operating effects as those of the first embodiment and so forth.
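The terminal-side ARP table behaviour that the sixth embodiment corrects, as an added example that is not code from the patent. `TerminalArpTable.on_arp_request` implements the update rule the page states (an entry is refreshed only when the requester's IP is already present), and the two request builders are terminal A 50 asking for terminal C 70 with and without the fix. The unallocated source IP ‘10.0.0.200’ is a constructed value standing in for the page's "IP address that has not been allocated to a terminal in the same subnet".

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class ArpRequest:
    src_mac: str
    src_ip: str
    dst_ip: str


class TerminalArpTable:
    """ARP table 63 of a terminal together with the update rule the page
    describes: an entry is refreshed only when the requester's IP is present."""

    def __init__(self, own_ip: str, entries: Dict[str, str]) -> None:
        self.own_ip = own_ip
        self.entries = dict(entries)  # ip -> MAC (virtual or real)

    def on_arp_request(self, req: ArpRequest) -> bool:
        """Terminal-side frame transceiver section 61 handling a broadcast ARP
        request not addressed to this terminal. Returns True if an entry changed."""
        if req.src_ip in self.entries and self.entries[req.src_ip] != req.src_mac:
            self.entries[req.src_ip] = req.src_mac
            return True
        return False


A_REAL_MAC = "00:11:11:11:11:02"
A_VIRTUAL_MAC = "02:11:11:11:11:02"
# Constructed: an IP in the subnet that is allocated to no terminal.
SPECIAL_SRC_IP = "10.0.0.200"


def make_terminal_b() -> TerminalArpTable:
    """Terminal B 60 after (Phase 2): it knows terminal A 50 only by its virtual MAC."""
    return TerminalArpTable("10.0.0.3", {"10.0.0.2": A_VIRTUAL_MAC})


def request_without_fix() -> ArpRequest:
    """Terminal A 50 asks for terminal C 70 with its own IP as source (the defect)."""
    return ArpRequest(A_REAL_MAC, "10.0.0.2", "10.0.0.4")


def request_with_fix() -> ArpRequest:
    """Sixth embodiment: own MAC, but a source IP other than its own."""
    return ArpRequest(A_REAL_MAC, SPECIAL_SRC_IP, "10.0.0.4")


def mac_for_a_after(req: ArpRequest) -> str:
    """What terminal B 60 ends up holding for terminal A 50 once it has seen `req`."""
    b = make_terminal_b()
    b.on_arp_request(req)
    return b.entries["10.0.0.2"]


if __name__ == "__main__":
    print("without fix:", mac_for_a_after(request_without_fix()))  # real MAC leaked
    print("with fix:   ", mac_for_a_after(request_with_fix()))     # virtual MAC kept
```

With the defect, terminal B 60 ends up holding terminal A 50 's real MAC and its next frame to A bypasses the security switch 10 ; with the special source IP there is no matching entry, so the virtual MAC survives and the frame keeps passing through the switch.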
- the seventh embodiment will be described next.
- the seventh embodiment is an example of log collection and can be implemented by any of the first to sixth embodiments hereinabove.
- FIG. 20 is an example of the network configuration of the seventh embodiment. Logs of the communications between terminals A 50 and B 60 are collected by the security switch 10 or by a log collection terminal 90 . The remaining constitution is the same as that of the first embodiment.
- when logs are collected by the security switch 10 , a storage device (a hard disk, memory, or the like) is installed in the security switch 10 and the security switch 10 stores the logs of the received frames in that storage device.
- when logs are collected by the log collection terminal 90 , the log collection terminal 90 (drawn with a dash-dot outline in FIG. 20 ) is connected to a specified port of the security switch 10 ; whenever the security switch 10 receives a frame it copies the frame to that port (port mirroring), and the log collection terminal 90 collects logs of the frames transferred from the security switch 10 .
- logs can be collected because, as a result of (Phase 3) in the first embodiment, for example, a path through the security switch 10 is established for the communication between terminals A 50 and B 60 .
- FIG. 21 shows an example of logs collected in the security switch 10 or log collection terminal 90 .
- This is an example of log data in the format of a tool such as ‘tcpdump’, recorded when telnet communication is performed from terminal A 50 (‘10.0.0.2’) to terminal B 60 (‘10.0.0.3’), for example.
- This is an example of four frames' worth of log data.
- Such log data is recorded in the storage device of the security switch 10 or the log collection terminal 90 .
- FIGS. 22 and 23 are examples of flowcharts of the security switch 10 that include log collection.
- FIG. 22 shows an example of a case where a security check is not executed and only log collection is performed and
- FIG. 23 shows an example of a case where both a security check and log collection are performed.
- as shown in FIG. 22 , the security switch 10 collects traffic logs (S 120 ).
- the logs are stored in the storage device of the security switch 10 and transferred to the log collection terminal 90 , for example.
- the subsequent processing is the same as that of the first embodiment.
- as shown in FIG. 23 , the security switch 10 performs log collection (S 120 ) and then performs the normal frame confirmation (S 25 ).
- the subsequent processing is the same as that of the first embodiment.
- thus the logs of the frames transmitted between terminals A 50 and B 60 can be collected by the security switch 10 or the log collection terminal 90 . Because the first embodiment or the like can be implemented at the same time, the same effects as those of the first embodiment are also obtained.
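As an added illustration (this editor's code, not the patent's), the following Python models the frame path of FIGS. 22 and 23: each received frame is written to the switch's own log in tcpdump-style text (S 120) and copied to a mirror port standing in for the log collection terminal 90, and only then does an optional frame check (S 25) decide whether it is forwarded. The frame layouts, the four constructed telnet frames from 10.0.0.2 to 10.0.0.3, and the port-based check used in place of the normal frame confirmation are assumptions of the example.

```python
import ipaddress
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, total length, id, frag, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, data offset, flags, window, csum, urgent
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Ethernet/IPv4/TCP frame; checksums are left zero, which the log model does not need."""
    tcp = TCP.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip_hdr = IPV4.pack(0x45, 0, IPV4.size + len(tcp), 1, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = ETH.pack(bytes.fromhex(dst_mac.replace(":", "")), bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip_hdr + tcp


def parse_tcp(frame):
    """Return the addressing fields of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH.size + IPV4.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0800:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IPV4.unpack_from(frame, ETH.size)
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(frame) < ETH.size + ihl + TCP.size:
        return None
    sport, dport, _, _, data_off, flags, _, _, _ = TCP.unpack_from(frame, ETH.size + ihl)
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": flags,
            "payload_len": total_len - ihl - (data_off >> 4) * 4}


def tcpdump_line(frame):
    """Render a TCP frame in the style tcpdump uses: 'IP a.p > b.q: Flags [S.], length n'."""
    t = parse_tcp(frame)
    if t is None:
        return None
    letters = "".join(ch for bit, ch in ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "."))
                      if t["flags"] & bit)
    return f"IP {t['src']}.{t['sport']} > {t['dst']}.{t['dport']}: Flags [{letters}], length {t['payload_len']}"


def allow_only_port(port):
    """Constructed stand-in for the normal frame confirmation (S 25): pass only TCP to/from `port`."""
    def check(frame):
        t = parse_tcp(frame)
        return t is not None and port in (t["sport"], t["dport"])
    return check


class SecuritySwitch:
    """Frame path of FIGS. 22/23: log (S 120), copy to the mirror port, then check (S 25) and forward."""

    def __init__(self, mirror_port=None, frame_check=None):
        self.log = []                    # the storage device inside the switch
        self.mirror_port = mirror_port   # list standing in for the port of log collection terminal 90
        self.frame_check = frame_check   # None means "log only", as in FIG. 22

    def receive(self, frame):
        line = tcpdump_line(frame)
        if line is not None:
            self.log.append(line)                   # S 120: log collection
        if self.mirror_port is not None:
            self.mirror_port.append(frame)          # every received frame is copied to the port
        if self.frame_check is not None and not self.frame_check(frame):
            return "dropped"                        # S 25 failed
        return "forwarded"


def cleartext_services(log_lines, cleartext_ports=(21, 23, 80)):
    """Summarise collected lines as (client, server, port) for ports known to carry cleartext."""
    found = set()
    for line in log_lines:
        src, _, dst = line.split()[1:4]
        s_ip, _ = src.rsplit(".", 1)
        d_ip, d_port = dst.rstrip(":").rsplit(".", 1)
        if int(d_port) in cleartext_ports:
            found.add((s_ip, d_ip, int(d_port)))
    return sorted(found)


# Constructed sample: terminal A (10.0.0.2) opens telnet to terminal B (10.0.0.3), four frames
A_MAC, B_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
A_IP, B_IP = "10.0.0.2", "10.0.0.3"


def telnet_sample():
    """TCP handshake plus the first client segment (a telnet option negotiation, IAC DO TERMINAL-TYPE)."""
    return [
        build_tcp_frame(A_MAC, B_MAC, A_IP, B_IP, 54321, 23, SYN, seq=100),
        build_tcp_frame(B_MAC, A_MAC, B_IP, A_IP, 23, 54321, SYN | ACK, seq=500, ack=101),
        build_tcp_frame(A_MAC, B_MAC, A_IP, B_IP, 54321, 23, ACK, seq=101, ack=501),
        build_tcp_frame(A_MAC, B_MAC, A_IP, B_IP, 54321, 23, PSH | ACK, b"\xff\xfd\x18", seq=101, ack=501),
    ]


if __name__ == "__main__":
    mirror = []
    switch = SecuritySwitch(mirror_port=mirror, frame_check=allow_only_port(23))
    for frame in telnet_sample():
        print(switch.receive(frame), switch.log[-1])
    print("cleartext sessions:", cleartext_services(switch.log))
```

Because the log is written before the S 25 check, a dropped frame is still recorded, which is what makes the collected log useful for incident review. The same property cuts the other way: a mirrored or locally stored log captures payloads verbatim, so a telnet session logged this way contains the login in the clear, and the storage device in the switch and the log collection terminal need the same access control as the traffic they record.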
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Small-Scale Networks (AREA)
Abstract
Description
Claims (15)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006-187903 | 2006-07-07 | ||
JP2006187903A JP4732257B2 (en) | 2006-07-07 | 2006-07-07 | Relay device, route control method, and route control program |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080008192A1 US20080008192A1 (en) | 2008-01-10 |
US7756140B2 true US7756140B2 (en) | 2010-07-13 |
Family
ID=38919076
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/602,633 Expired - Fee Related US7756140B2 (en) | 2006-07-07 | 2006-11-21 | Relay device, path control method, and path control program |
Country Status (2)
Country | Link |
---|---|
US (1) | US7756140B2 (en) |
JP (1) | JP4732257B2 (en) |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070140121A1 (en) * | 2005-12-21 | 2007-06-21 | Chris Bowman | Method of preventing denial of service attacks in a network |
US8077720B2 (en) * | 2007-02-27 | 2011-12-13 | Alcatel-Lucent Usa Inc. | Methods and devices for generating and forwarding translated MAC addresses |
JP2009003625A (en) * | 2007-06-20 | 2009-01-08 | Yokogawa Electric Corp | Field apparatus |
US8369343B2 (en) * | 2008-06-03 | 2013-02-05 | Microsoft Corporation | Device virtualization |
JP5083051B2 (en) * | 2008-06-06 | 2012-11-28 | 富士通株式会社 | Monitoring system, monitoring device, monitored device, and monitoring method |
EP2150028A1 (en) * | 2008-07-31 | 2010-02-03 | Nokia Siemens Networks OY | Method and device for address translation and communication system comprising such device |
KR101253931B1 (en) * | 2008-12-25 | 2013-04-16 | 미쓰비시덴키 가부시키가이샤 | Communication management device, communication device, and communication method |
CN101888388A (en) * | 2010-07-15 | 2010-11-17 | 中兴通讯股份有限公司 | Method and device for realizing virtual media access control address |
BR112014000649A2 (en) * | 2011-07-12 | 2017-02-14 | Furukawa Electric Co Ltd | communication device and communication system |
CN105611648B (en) | 2011-12-23 | 2018-04-10 | 华为技术有限公司 | The trunking method and wireless relay apparatus of a kind of wireless relay apparatus |
JP5426717B2 (en) * | 2012-04-23 | 2014-02-26 | エスアイアイ・ネットワーク・システムズ株式会社 | Layer 2 connection device, communication system, and communication method |
TWI474668B (en) * | 2012-11-26 | 2015-02-21 | Method for distinguishing and blocking off network node | |
TWI491233B (en) * | 2012-11-26 | 2015-07-01 | Sofnet Corp | Method for recognizing event of network node |
CN104038425B (en) | 2013-03-06 | 2018-01-02 | 阿里巴巴集团控股有限公司 | The method and apparatus for forwarding ether network packet |
JP5339654B1 (en) * | 2013-04-15 | 2013-11-13 | 株式会社Sousou | Wireless relay system for IEEE802.11 standard communication and IEEE802.15.4 standard communication |
US9521219B2 (en) * | 2014-01-20 | 2016-12-13 | Echelon Corporation | Systems, methods, and apparatuses using common addressing |
TWI543562B (en) * | 2014-01-29 | 2016-07-21 | 三泰科技股份有限公司 | A network control device, the network control system and the method of the remote device |
JP5729796B1 (en) * | 2014-06-30 | 2015-06-03 | Necプラットフォームズ株式会社 | Gateway device, communication system, communication method, and communication program |
US10419337B2 (en) * | 2014-11-26 | 2019-09-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods, routing device and further routing device for managing data frames in switched networks |
EP3091715A1 (en) * | 2015-05-06 | 2016-11-09 | Thomson Licensing | Method for allocating internet protocol addresses to clients of a network and corresponding apparatus |
JP7135870B2 (en) * | 2019-01-07 | 2022-09-13 | 富士通株式会社 | DETECTION DEVICE, DETECTION METHOD, AND DETECTION PROGRAM |
CN109819062B (en) * | 2019-01-25 | 2021-06-11 | 视联动力信息技术股份有限公司 | Method and device for accessing network by using virtual MAC address |
WO2021001939A1 (en) * | 2019-07-02 | 2021-01-07 | 日本電信電話株式会社 | Optical network unit, communication network system, and communication method |
CN110366173A (en) * | 2019-08-23 | 2019-10-22 | 中国联合网络通信集团有限公司 | A kind of method that realizing terminal equipment access network and gateway |
KR102298736B1 (en) * | 2019-12-30 | 2021-09-07 | 주식회사 안랩 | Apparatus and method for concealing network, computer-readable storage medium and computer program for controlling the holder device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5724510A (en) * | 1996-09-06 | 1998-03-03 | Fluke Corporation | Method of configuring a valid IP address and detecting duplicate IP addresses in a local area network |
US5920699A (en) * | 1996-11-07 | 1999-07-06 | Hewlett-Packard Company | Broadcast isolation and level 3 network switch |
JP2003318934A (en) | 2002-04-18 | 2003-11-07 | Hitachi Cable Ltd | Switching hub |
US6754716B1 (en) * | 2000-02-11 | 2004-06-22 | Ensim Corporation | Restricting communication between network devices on a common network |
US20060088037A1 (en) * | 2004-10-21 | 2006-04-27 | International Business Machines Corporation | Preventing asynchronous ARP cache poisoning of multiple hosts |
US20060206588A1 (en) * | 2005-03-10 | 2006-09-14 | Nobuyuki Saika | Information processing system and method |
US20070201490A1 (en) * | 2005-07-13 | 2007-08-30 | Mahamuni Atul B | System and method for implementing ethernet MAC address translation |
US7356032B1 (en) * | 2002-11-01 | 2008-04-08 | Bbn Technologies Corp. | System and method for reducing broadcast traffic wireless access-point networks |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH06318945A (en) * | 1993-05-07 | 1994-11-15 | Sharp Corp | Mutual connection device between networks |
JP3676243B2 (en) * | 2001-02-02 | 2005-07-27 | 三菱電機株式会社 | Network system and network connection device |
2006
- 2006-07-07: JP application JP2006187903A (granted as JP4732257B2), status not active, Expired - Fee Related
- 2006-11-21: US application US11/602,633 (granted as US7756140B2), status not active, Expired - Fee Related
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090190598A1 (en) * | 2004-01-14 | 2009-07-30 | Peter Skov Christensen | Ethernet address management system |
US8401024B2 (en) * | 2004-01-14 | 2013-03-19 | Telefonaktiebolaget Lm Ericsson (Publ) | Ethernet address management system |
US20080209071A1 (en) * | 2006-12-18 | 2008-08-28 | Fujitsu Limited | Network relay method, network relay apparatus, and network relay program |
US8224988B2 (en) * | 2006-12-18 | 2012-07-17 | Fujitsu Limited | Network relay method, network relay apparatus, and network relay program |
US20110179486A1 (en) * | 2008-10-10 | 2011-07-21 | Plustech Inc. | Method for neutralizing the arp spoofing attack by using counterfeit mac addresses |
US8578488B2 (en) * | 2008-10-10 | 2013-11-05 | Plustech Inc. | Method for neutralizing the ARP spoofing attack by using counterfeit MAC addresses |
US20120140281A1 (en) * | 2009-05-13 | 2012-06-07 | Canon Kabushiki Kaisha | Network communication apparatus, method and program |
US8964602B2 (en) * | 2009-05-13 | 2015-02-24 | Canon Kabushiki Kaisha | Network communication apparatus, method and program |
US8935780B2 (en) | 2012-02-09 | 2015-01-13 | Harris Corporation | Mission management for dynamic computer networks |
US8819818B2 (en) | 2012-02-09 | 2014-08-26 | Harris Corporation | Dynamic computer network with variable identity parameters |
US8898795B2 (en) * | 2012-02-09 | 2014-11-25 | Harris Corporation | Bridge for communicating with a dynamic computer network |
US9075992B2 (en) | 2012-05-01 | 2015-07-07 | Harris Corporation | Systems and methods for identifying, deterring and/or delaying attacks to a network using shadow networking techniques |
US8959573B2 (en) | 2012-05-01 | 2015-02-17 | Harris Corporation | Noise, encryption, and decoys for communications in a dynamic computer network |
US8966626B2 (en) | 2012-05-01 | 2015-02-24 | Harris Corporation | Router for communicating data in a dynamic computer network |
US8935786B2 (en) | 2012-05-01 | 2015-01-13 | Harris Corporation | Systems and methods for dynamically changing network states |
US8898782B2 (en) | 2012-05-01 | 2014-11-25 | Harris Corporation | Systems and methods for spontaneously configuring a computer network |
US9130907B2 (en) | 2012-05-01 | 2015-09-08 | Harris Corporation | Switch for communicating data in a dynamic computer network |
US9154458B2 (en) | 2012-05-01 | 2015-10-06 | Harris Corporation | Systems and methods for implementing moving target technology in legacy hardware |
US9503324B2 (en) | 2013-11-05 | 2016-11-22 | Harris Corporation | Systems and methods for enterprise mission management of a computer network |
US9264496B2 (en) | 2013-11-18 | 2016-02-16 | Harris Corporation | Session hopping |
US9338183B2 (en) | 2013-11-18 | 2016-05-10 | Harris Corporation | Session hopping |
US10122708B2 (en) | 2013-11-21 | 2018-11-06 | Harris Corporation | Systems and methods for deployment of mission plans using access control technologies |
Also Published As
Publication number | Publication date |
---|---|
JP4732257B2 (en) | 2011-07-27 |
JP2008017278A (en) | 2008-01-24 |
US20080008192A1 (en) | 2008-01-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7756140B2 (en) | Relay device, path control method, and path control program | |
US8543669B2 (en) | Network switch and method of preventing IP address collision | |
US20080060067A1 (en) | Ip management Method and Apparatus for Protecting/Blocking Specific Ip Address or Specific Device on Network | |
US8892725B2 (en) | Method for network anomaly detection in a network architecture based on locator/identifier split | |
US7167922B2 (en) | Method and apparatus for providing automatic ingress filtering | |
Nam et al. | Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks | |
CN100477620C (en) | On-line intrusion detection using a single physical port | |
US8189580B2 (en) | Method for blocking host in IPv6 network | |
EP1906591B1 (en) | Method, device, and system for detecting layer 2 loop | |
US7570625B1 (en) | Detection of wireless devices | |
KR100807933B1 (en) | System and method for detecting arp spoofing and computer readable storage medium storing program for detecting arp spoofing | |
CN101674306B (en) | Address resolution protocol message processing method and switch | |
US6965577B1 (en) | Identifying an edge switch and port to which a network user is attached | |
US20100189114A1 (en) | Network communication node | |
CN1905495B (en) | Network monitoring device, network monitoring method, network system and network communication method | |
US7613179B2 (en) | Technique for tracing source addresses of packets | |
US20110075561A1 (en) | Method and Apparatus for Handling a Switch Using a Preferred Destination List | |
Cisco | DECnet Commands | |
JP4319609B2 (en) | Attack path analysis device, attack path analysis method and program | |
KR20040011936A (en) | Switching apparatus for ethernet having a plurality of vlans and communication method by using same | |
US20210258255A1 (en) | Management of network addresses | |
Parr | More fault tolerant approach to address resolution for a Multi-LAN system of Ethernets | |
Ammann | Network forensic readiness: a bottom-up approach for IPv6 networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | XAS | Not any more in us assignment database | Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MATOBA, KAZUMINE;REEL/FRAME:018611/0413 |
| 2006-10-30 | AS | Assignment | Owner name: FUJITSU LIMITED, JAPAN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MATOBA, KAZUMINE;REEL/FRAME:018925/0523 |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | FPAY | Fee payment | Year of fee payment: 4 |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); Year of fee payment: 8 |
| | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
| 2022-07-13 | FP | Lapsed due to failure to pay maintenance fee | |